Azure / application-gateway-kubernetes-ingress

This is an ingress controller that can be run on Azure Kubernetes Service (AKS) to allow an Azure Application Gateway to act as the ingress for an AKS cluster.
https://azure.github.io/application-gateway-kubernetes-ingress
MIT License

Allow to specify extra settings used by AGIC on addonProfiles #1537

Open brwilkinson opened 1 year ago

brwilkinson commented 1 year ago

Current addonProfile IngressApplicationGateway available settings

        "addonProfiles": {
            "IngressApplicationGateway": {
                "enabled": true,
                "config": {
                    "applicationGatewayName": "AEU1-PE-CTL-D1-waf01",
                    "effectiveApplicationGatewayId": "/subscriptions/4185fa9b-f470-466a-b3ae-8e6c3314a543/resourceGroups/AEU1-PE-CTL-RG-D1-aks01/providers/Microsoft.Network/applicationGateways/AEU1-PE-CTL-D1-waf01",
                    "subnetCIDR": "10.182.241.0/24"
                }
            }
        }

1) Add subnet name setting

current behavior

Currently we have to name the subnet '${AppGatewayName}-subnet'

desired behaviour

Add an extra property to specify the name of the desired subnet to use. E.g. subnetName

        "addonProfiles": {
            "IngressApplicationGateway": {
                "enabled": true,
                "config": {
                    "applicationGatewayName": "AEU1-PE-CTL-D1-waf01",
                    "effectiveApplicationGatewayId": "/subscriptions/4185fa9b-f470-466a-b3ae-8e6c3314a543/resourceGroups/AEU1-PE-CTL-RG-D1-aks01/providers/Microsoft.Network/applicationGateways/AEU1-PE-CTL-D1-waf01",
                    "subnetCIDR": "10.182.241.0/24",
                    "subnetName": "snWAF01",  // <--- Allow for these 2 extra settings    \/
                    "WAF_V2_PolicyId": "/subscriptions/4185fa9b-f470-466a-b3ae-8e6c3314a543/resourceGroups/AEU1-PE-CTL-RG-D1/providers/Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies/AEU1-PE-CTL-D1-wafAGIC01-policy"
                }
            }
        }

2) Add WAF Policy settings

current behavior

Always deploys app gateway as "Standard_V2"

desired behaviour

Add an extra property to specify the WAF Policy Id, then deploy "WAF_V2" e.g. WAF_V2_PolicyId

ptalekar-intel commented 3 months ago

You could create your own Application Gateway with WAF V2, put it in the desired subnet, and then create the Managed Cluster. Attach the App Gateway while creating the managed cluster.
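
The workaround in the last comment leaves it to the operator to confirm that the attached gateway really is WAF_v2, carries the intended policy and sits in the chosen subnet. The following is an added example, not part of the thread or of AGIC's code, that checks this offline. It assumes the gateway JSON has the flattened shape printed by `az network application-gateway show`; all IDs and the names `arm_eq` and `check_gateway` are constructed for illustration.

```python
# Added example: all IDs are constructed placeholders, not values from the issue.
# Assumes the gateway dict has the flattened shape of `az network application-gateway show`.
RG = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-example"
NET = RG + "/providers/Microsoft.Network"
GW_ID = NET + "/applicationGateways/example-waf01"
POLICY_ID = NET + "/ApplicationGatewayWebApplicationFirewallPolicies/example-policy"
SUBNET_ID = NET + "/virtualNetworks/example-vnet/subnets/snWAF01"

ADDON_PROFILES = {"IngressApplicationGateway": {
    "enabled": True,
    "config": {"applicationGatewayName": "example-waf01",
               "effectiveApplicationGatewayId": GW_ID}}}

# Gateway created by hand as the last comment suggests
# (IDs lower-cased here to exercise the case-insensitive comparison).
BYO_GATEWAY = {"id": GW_ID.lower(), "sku": {"tier": "WAF_v2"},
               "firewallPolicy": {"id": POLICY_ID.lower()},
               "gatewayIPConfigurations": [{"subnet": {"id": SUBNET_ID.lower()}}]}

# Gateway as the issue describes the add-on default: Standard_v2, '<name>-subnet', no policy.
ADDON_GATEWAY = {"id": GW_ID, "sku": {"tier": "Standard_v2"},
                 "gatewayIPConfigurations": [{"subnet": {
                     "id": NET + "/virtualNetworks/example-vnet/subnets/example-waf01-subnet"}}]}

def arm_eq(a, b):
    """ARM resource IDs are case-insensitive, so compare them lower-cased."""
    return (a or "").rstrip("/").lower() == (b or "").rstrip("/").lower()

def check_gateway(addon_profiles, gateway, want_subnet_id, want_policy_id):
    """Return a list of findings; an empty list means the gateway matches expectations."""
    profile = addon_profiles.get("IngressApplicationGateway") or {}
    if not profile.get("enabled"):
        return ["AGIC add-on is not enabled"]
    findings = []
    config = profile.get("config") or {}
    if not arm_eq(config.get("effectiveApplicationGatewayId"), gateway.get("id")):
        findings.append("add-on points at a different gateway")
    tier = (gateway.get("sku") or {}).get("tier") or "unset"
    if tier.lower() != "waf_v2":
        findings.append(f"gateway tier is {tier}, not WAF_v2")
    if not arm_eq((gateway.get("firewallPolicy") or {}).get("id"), want_policy_id):
        findings.append("expected WAF policy is not attached")
    subnets = [(c.get("subnet") or {}).get("id")
               for c in gateway.get("gatewayIPConfigurations") or []]
    if not any(arm_eq(s, want_subnet_id) for s in subnets):
        findings.append("gateway is not in the expected subnet")
    return findings
```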